
Google results redirects to ad sites


  • This topic is locked
2 replies to this topic

#1 Rani09

  • Members
  • 1 posts

Posted 30 May 2010 - 06:13 PM

Hi,
My computer recently got affected by a fake virus alert/spyware, I guess. I had installed Spybot, which cleaned my system to some extent.
Later I noticed that when using Google in my IE browser it displays the search results fine, but on clicking any of the links it redirects to some random site.
I had browsed through several sites to understand the fix. I had downloaded ComboFix and executed it. I have the log with me now.
Let me know if I can have anybody analyze the log and propose the next action.
Thanks in advance


--------------
ComboFix log. Also attached is the quarantine log below.


ComboFix 10-05-29.05 - Durgarani 05/31/2010 4:02.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1387 [GMT 5.5:30]
Running from: d:\temp\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\agucusaf.scr
c:\winnt\cymavuboxe._sy
c:\winnt\ifug._sy
c:\winnt\jafo.scr
c:\winnt\system32\drivers\etc\lmhosts
c:\winnt\system32\ndisapi.dll
c:\winnt\system32\taskmrg.exe
c:\winnt\wiaservv.log

Infected copy of c:\winnt\system32\drivers\acpiec.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NDISRD


((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-30 )))))))))))))))))))))))))))))))
.

2010-05-27 04:55 . 2010-05-27 06:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-27 04:55 . 2010-05-27 04:58 -------- d-----w- C:\SpybotSearchDestroy
2010-05-23 19:08 . 2010-05-23 19:08 -------- d-----w- c:\documents and settings\wipro\Local Settings\Application Data\PCHealth
2010-05-16 03:33 . 2010-05-16 03:33 -------- d-----w- c:\documents and settings\All Users\Application Data\TVU Networks
2010-05-15 03:03 . 2010-05-15 03:03 5642000 ----a-w- c:\documents and settings\wipro\Application Data\TVU Networks\TVU AutoUpgrade\TVUPlayer2.5.3.1.exe
2010-05-05 03:17 . 2010-05-05 05:59 -------- d-----w- c:\documents and settings\wipro\.fuego
2010-05-05 03:11 . 2010-05-05 03:11 -------- d-----w- c:\program files\Oracle
2010-05-05 03:05 . 2010-05-05 03:11 -------- d--h--w- c:\program files\Zero G Registry
2010-05-05 03:05 . 2010-05-05 03:05 -------- d--h--w- c:\documents and settings\wipro\InstallAnywhere
2010-05-01 03:45 . 2010-05-01 03:45 -------- d-----w- c:\program files\Veoh Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-30 22:47 . 2007-07-20 12:55 -------- d-----w- c:\program files\Symantec AntiVirus
2010-05-16 03:33 . 2008-08-31 01:13 -------- d-----w- c:\program files\TVUPlayer
2010-05-12 05:51 . 2009-10-28 16:54 221568 ------w- c:\winnt\system32\MpSigStub.exe
2010-05-07 03:01 . 2009-10-12 16:04 -------- d-----w- c:\documents and settings\wipro\Application Data\webex
2010-04-23 10:22 . 2010-04-23 10:22 2898232 ----a-w- c:\documents and settings\wipro\Application Data\Mozilla\Firefox\Profiles\9aslcapw.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
2010-04-21 00:45 . 2010-04-21 00:45 439816 ----a-w- c:\documents and settings\wipro\Application Data\Real\Update\setup3.10\setup.exe
2010-04-19 07:13 . 2010-04-19 07:09 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2010-04-19 07:10 . 2010-04-19 07:10 -------- d-----w- c:\program files\Avanquest update
2010-04-19 07:10 . 2007-07-20 12:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-19 07:10 . 2010-04-19 07:09 -------- d-----w- c:\program files\Motorola Phone Tools
2010-04-19 07:09 . 2010-04-19 07:09 25600 ----a-w- c:\documents and settings\wipro\usbsermptxp.sys
2010-04-19 07:09 . 2010-04-19 07:09 22768 ----a-w- c:\documents and settings\wipro\usbsermpt.sys
2010-04-19 07:09 . 2010-04-19 07:09 5936 ----a-w- c:\documents and settings\wipro\mqdmwhnt.sys
2010-04-19 07:09 . 2010-04-19 07:09 9232 ----a-w- c:\documents and settings\wipro\mqdmmdfl.sys
2010-04-19 07:09 . 2010-04-19 07:09 92064 ----a-w- c:\documents and settings\wipro\mqdmmdm.sys
2010-04-19 07:09 . 2010-04-19 07:09 79328 ----a-w- c:\documents and settings\wipro\mqdmserd.sys
2010-04-19 07:09 . 2010-04-19 07:09 66656 ----a-w- c:\documents and settings\wipro\mqdmbus.sys
2010-04-19 07:09 . 2010-04-19 07:09 6208 ----a-w- c:\documents and settings\wipro\mqdmcmnt.sys
2010-04-19 07:09 . 2010-04-19 07:09 4048 ----a-w- c:\documents and settings\wipro\mqdmcr.sys
2010-04-18 05:24 . 2008-01-11 07:03 45616 ----a-w- c:\documents and settings\wipro\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-17 09:48 . 2010-04-17 09:48 8854 ----a-r- c:\documents and settings\wipro\Application Data\Microsoft\Installer\{25938CAD-DAA0-41EC-A3AB-95997894A541}\Uninstall_FileVerifi_25938CADDAA041ECA3AB95997894A541.exe
2010-04-17 09:48 . 2010-04-17 09:48 40960 ----a-r- c:\documents and settings\wipro\Application Data\Microsoft\Installer\{25938CAD-DAA0-41EC-A3AB-95997894A541}\TCSFileVeriferSTP.ex_25938CADDAA041ECA3AB95997894A541.exe
2010-04-17 09:48 . 2010-04-17 09:48 40960 ----a-r- c:\documents and settings\wipro\Application Data\Microsoft\Installer\{25938CAD-DAA0-41EC-A3AB-95997894A541}\NewShortcut21_25938CADDAA041ECA3AB95997894A541.exe
2010-04-17 09:48 . 2010-04-17 09:48 40960 ----a-r- c:\documents and settings\wipro\Application Data\Microsoft\Installer\{25938CAD-DAA0-41EC-A3AB-95997894A541}\NewShortcut2_25938CADDAA041ECA3AB95997894A541.exe
2010-04-17 09:48 . 2010-04-17 09:48 40960 ----a-r- c:\documents and settings\wipro\Application Data\Microsoft\Installer\{25938CAD-DAA0-41EC-A3AB-95997894A541}\ARPPRODUCTICON.exe
2010-04-17 09:48 . 2010-04-17 09:48 -------- d-----w- c:\documents and settings\wipro\Application Data\FileVerifier STP
2010-04-14 15:44 . 2008-01-08 13:33 -------- d-----w- c:\documents and settings\wipro\Application Data\Yahoo!
2010-04-14 13:33 . 2008-01-08 13:07 -------- d--h--r- c:\documents and settings\All Users\Application Data\yahoo!
2010-04-14 13:33 . 2007-07-27 09:19 -------- d-----w- c:\program files\Yahoo!
2010-04-14 13:33 . 2008-01-08 13:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-04-14 03:51 . 2007-07-25 11:45 58199 ----a-w- c:\winnt\java\lib\wieabkp.dat
.
c:\winnt\system32\CCM\Cache\CEN000EC.1.System\SMSsrv 1.0 .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPCheckoutOverlay]
@="{80E008A4-EAE7-4867-AEB0-1A245F070F25}"
[HKEY_CLASSES_ROOT\CLSID\{80E008A4-EAE7-4867-AEB0-1A245F070F25}]
2005-09-14 09:27 520192 ----a-w- c:\program files\Perforce\p4exp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPSyncdOverlay]
@="{ADF262C1-E8FE-49BE-AD63-F77CD4A6CCD9}"
[HKEY_CLASSES_ROOT\CLSID\{ADF262C1-E8FE-49BE-AD63-F77CD4A6CCD9}]
2005-09-14 09:27 520192 ----a-w- c:\program files\Perforce\p4exp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPUpdateOverlay]
@="{C550CDA2-37D7-4838-A9D7-65ECB1EB5AB2}"
[HKEY_CLASSES_ROOT\CLSID\{C550CDA2-37D7-4838-A9D7-65ECB1EB5AB2}]
2005-09-14 09:27 520192 ----a-w- c:\program files\Perforce\p4exp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\YspService.exe" [2010-04-01 243000]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [N/A]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [N/A]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-04-28 2633976]
"SpybotSD TeaTimer"="c:\spybotsearchdestroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\winnt\system32\igfxtray.exe" [2006-03-23 94208]
"igfxpers"="c:\winnt\system32\igfxpers.exe" [2006-03-23 118784]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-07-16 573440]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~2\VPTray.exe" [2007-03-14 125632]
"Synchronization Manager"="c:\winnt\system32\mobsync.exe" [2008-04-14 143360]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [N/A]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"igfxhkcmd"="c:\winnt\system32\hkcmd.exe" [2006-03-23 77824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-02-07 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-02-19 438272]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-29 198160]
"Wipro e-AssetTracker"="c:\winnt\Java\lib\e-Asset.exe" [2004-10-06 28748]
"Oracle BPM COM Bridge (4065)"="d:\orabpmstudiohome\bin\combridge.exe" [2010-05-05 294912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2007-04-10 3900776]

c:\documents and settings\wipro\Start Menu\Programs\Startup\
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2009-1-19 42168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2007-7-20 593920]
Wipro VPN Client.lnk - c:\program files\Wipro\Wipro VPN Client\vpngui.exe [2007-7-20 1528880]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\JavaSoft\\JRE\\1.3.1_18\\bin\\javaw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access 0
"1701:TCP"= 1701:TCP:MioNet Remote Drive Access 1
"1702:TCP"= 1702:TCP:MioNet Remote Drive Access 2
"1703:TCP"= 1703:TCP:MioNet Remote Drive Access 3
"1704:TCP"= 1704:TCP:MioNet Remote Drive Access 4
"1705:TCP"= 1705:TCP:MioNet Remote Drive Access 5
"1706:TCP"= 1706:TCP:MioNet Remote Drive Access 6
"1707:TCP"= 1707:TCP:MioNet Remote Drive Access 7
"1708:TCP"= 1708:TCP:MioNet Remote Drive Access 8
"1709:TCP"= 1709:TCP:MioNet Remote Drive Access 9
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration
"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery

R0 O2MDRDR;O2MDRDR;c:\winnt\system32\drivers\o2media.sys [2/27/2006 12:30 PM 34880]
R0 O2SDRDR;O2SDRDR;c:\winnt\system32\drivers\o2sd.sys [2/20/2006 1:31 PM 29056]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 7:48 PM 116416]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [2/19/2008 3:45 PM 106496]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 Astdi;Astdi;c:\program files\Aventail\Connect\asnttdi.sys [7/10/2003 6:29 PM 126162]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/28/2010 8:17 AM 102448]
R3 urvpndrv;F5 Networks VPN Adapter;c:\winnt\system32\drivers\covpndrv.sys [8/20/2009 9:49 PM 33920]
S3 Ascrypto;Ascrypto;c:\program files\Aventail\Connect\ascrypto.sys [7/10/2003 6:30 PM 219284]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\winnt\system32\drivers\urfltw2k.sys [11/24/2009 1:48 PM 10752]
S3 RemoteGetMacIDService;RemoteGetMacIDService;c:\winnt\system32\RemoteGetMacIDService.exe [7/30/2007 2:31 PM 110592]
.
Contents of the 'Scheduled Tasks' folder

2010-05-14 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-04-19 c:\winnt\Tasks\At1.job
- c:\winnt\SMSSLP\sms.bat [2010-03-11 11:59]

2010-05-30 c:\winnt\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 13:50]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\winnt\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {3D67F67F-8997-4210-BB3C-48CBAB234FE2} - hxxp://ec-ls1.wipro.com/easset/jassetcab.cab
DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} - hxxps://actsvr.comcastonline.com/techtools/dl/Comcast%20Activation%20Controls.cab
FF - ProfilePath - c:\documents and settings\wipro\Application Data\Mozilla\Firefox\Profiles\9aslcapw.default\
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: network.proxy.ftp - 172.17.101.47
FF - prefs.js: network.proxy.ftp_port - 80
FF - prefs.js: network.proxy.gopher - 172.17.101.47
FF - prefs.js: network.proxy.gopher_port - 80
FF - prefs.js: network.proxy.http - 172.17.101.47
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.socks - 172.17.101.47
FF - prefs.js: network.proxy.socks_port - 80
FF - prefs.js: network.proxy.ssl - 172.17.101.47
FF - prefs.js: network.proxy.ssl_port - 80
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\wipro\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava11.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava12.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava131_18.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npoji600.dll
FF - plugin: c:\program files\TVUPlayer\npTVUAx.dll
FF - plugin: d:\google\Picasa3\npPicasa3.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)
SafeBoot-TDSSmqlt.sys
SafeBoot-TDSSoiqh.sys
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-31 04:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\winnt\TEMP\TMP00000050C6BE92EEE0EACF87 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A52ED01]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba91cf28
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba711852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(11768)
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\program files\Perforce\p4exp.dll
c:\program files\Aventail\Connect\asdns.dll
c:\program files\Bonjour\mdnsNSP.dll
c:\winnt\system32\ieframe.dll
c:\winnt\system32\WPDShServiceObj.dll
d:\winscp\DragExt.dll
c:\winnt\system32\OneX.DLL
c:\winnt\system32\eappprxy.dll
c:\winnt\system32\PortableDeviceTypes.dll
c:\winnt\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Aventail\Connect\as32svc.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\winnt\system32\msdtc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Wipro\Wipro VPN Client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\winnt\system32\o2flash.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\winnt\system32\CCM\CcmExec.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\winnt\system32\wscntfy.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2010-05-31 04:29:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-30 22:59

Pre-Run: 14,304,931,840 bytes free
Post-Run: 14,188,904,448 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - FCDAC61C2FA471A8DF6C9BFD1D368398



--------------------
Quarantine log

2010-05-30 22:58:45 . 2010-05-30 22:58:45 1,244 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-{7B63B2922B174135AFC0E1377DD81EC2}.reg.dat
2010-05-30 22:57:14 . 2010-05-30 22:57:14 558 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-TDSSoiqh.sys.reg.dat
2010-05-30 22:57:13 . 2010-05-30 22:57:13 558 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-TDSSmqlt.sys.reg.dat
2010-05-30 22:56:58 . 2010-05-30 22:56:58 332 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Notify-WgaLogon.reg.dat
2010-05-30 22:42:04 . 2010-05-30 22:42:04 1,138 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_NDISRD.reg.dat
2010-05-30 22:41:38 . 2010-05-30 22:41:38 14,417 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-05-30 22:17:48 . 2010-05-30 22:30:01 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
2008-10-18 18:27:39 . 2008-10-18 18:27:39 13,749 ----a-w- C:\Qoobox\Quarantine\C\WINNT\jafo.scr.vir
2008-10-18 18:01:10 . 2008-10-18 18:01:10 19,053 ----a-w- C:\Qoobox\Quarantine\C\WINNT\cymavuboxe._sy.vir
2008-10-18 18:01:10 . 2008-10-18 18:01:10 14,525 ----a-w- C:\Qoobox\Quarantine\C\WINNT\agucusaf.scr.vir
2008-10-18 18:01:10 . 2008-10-18 18:01:10 11,372 ----a-w- C:\Qoobox\Quarantine\C\WINNT\ifug._sy.vir
2008-10-13 14:32:43 . 2008-10-18 21:28:09 12 ----a-w- C:\Qoobox\Quarantine\C\WINNT\wiaservv.log.vir
2008-01-14 22:15:52 . 2008-01-14 22:15:52 69,632 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\ndisapi.dll.vir
2004-08-04 23:26:58 . 2008-04-14 00:12:38 135,680 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\taskmrg.exe.vir
2001-08-24 16:00:00 . 2010-03-04 04:39:53 3,891 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\Drivers\etc\lmhosts.vir


Hi,
I had browsed through
http://www.bleepingcomputer.com/forums/t/318714/googleyahoo-search-divert-banksite-pop-up/
and felt that I could achieve the results by following the same process.

I executed mbr.exe and TDSSKiller.exe.
It looks like the browser redirect issue is gone, but it would be great if you could confirm that it indeed is.
Below are the MBR logs and TDSS logs.

MBR Log
-----------

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

---------------------------
TDSS log
---------------
05:15:41:531 13552 TDSS rootkit removing tool 2.3.1.0 May 25 2010 12:52:14
05:15:41:531 13552 ================================================================================
05:15:41:531 13552 SystemInfo:

05:15:41:531 13552 OS Version: 5.1.2600 ServicePack: 3.0
05:15:41:531 13552 Product type: Workstation
05:15:41:531 13552 ComputerName: L-4000367
05:15:41:531 13552 UserName: Durgarani
05:15:41:531 13552 Windows directory: C:\WINNT
05:15:41:531 13552 Processor architecture: Intel x86
05:15:41:531 13552 Number of processors: 2
05:15:41:531 13552 Page size: 0x1000
05:15:41:531 13552 Boot type: Normal boot
05:15:41:531 13552 ================================================================================
05:15:41:984 13552 Initialize success
05:15:41:984 13552
05:15:41:984 13552 Scanning Services ...
05:15:42:609 13552 Raw services enum returned 373 services
05:15:42:625 13552
05:15:42:625 13552 Scanning Drivers ...
05:15:43:671 13552 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINNT\system32\DRIVERS\ACPI.sys
05:15:43:718 13552 ACPIEC (f179c5b6df6b68bc4131ff9674c395fc) C:\WINNT\system32\DRIVERS\ACPIEC.sys
05:15:43:718 13552 Suspicious file (Forged): C:\WINNT\system32\DRIVERS\ACPIEC.sys. Real md5: f179c5b6df6b68bc4131ff9674c395fc, Fake md5: 9859c0f6936e723e4892d7141b1327d5
05:15:43:718 13552 File "C:\WINNT\system32\DRIVERS\ACPIEC.sys" infected by TDSS rootkit ...
05:15:44:187 13552 Backup copy found, using it..
05:15:44:218 13552 will be cured on next reboot
05:15:44:359 13552 aec (8bed39e3c35d6a489438b8141717a557) C:\WINNT\system32\drivers\aec.sys
05:15:44:437 13552 AegisP (2f7f3e8da380325866e566f5d5ec23d5) C:\WINNT\system32\DRIVERS\AegisP.sys
05:15:44:531 13552 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINNT\System32\drivers\afd.sys
05:15:44:625 13552 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINNT\system32\DRIVERS\arp1394.sys
05:15:44:921 13552 Ascrypto (e38dd4404d290b01a22663e97d0a3823) C:\Program Files\Aventail\Connect\ascrypto.sys
05:15:44:968 13552 Askernel (9e84e753107d25699a6384109ab65fb2) C:\Program Files\Aventail\Connect\asntkrnl.sys
05:15:45:015 13552 Astdi (ec520b0a6c9b0e59bbed5f10239856af) C:\Program Files\Aventail\Connect\asnttdi.sys
05:15:45:062 13552 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINNT\system32\DRIVERS\asyncmac.sys
05:15:45:140 13552 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINNT\system32\DRIVERS\atapi.sys
05:15:45:234 13552 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINNT\system32\DRIVERS\atmarpc.sys
05:15:45:281 13552 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINNT\system32\DRIVERS\audstub.sys
05:15:45:328 13552 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINNT\system32\drivers\cbidf2k.sys
05:15:45:359 13552 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINNT\system32\DRIVERS\CCDECODE.sys
05:15:45:390 13552 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINNT\system32\drivers\Cdaudio.sys
05:15:45:468 13552 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINNT\system32\drivers\Cdfs.sys
05:15:45:531 13552 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINNT\system32\DRIVERS\cdrom.sys
05:15:45:671 13552 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINNT\system32\DRIVERS\CmBatt.sys
05:15:45:718 13552 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINNT\system32\DRIVERS\compbatt.sys
05:15:45:765 13552 CVirtA (5c706c06c1279952d2cc1a609ca948bf) C:\WINNT\system32\DRIVERS\CVirtA.sys
05:15:45:812 13552 CVPNDRVA (5ba042bcab6246c6bba51606afd7b488) C:\WINNT\system32\Drivers\CVPNDRVA.sys
05:15:45:906 13552 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINNT\system32\DRIVERS\disk.sys
05:15:46:078 13552 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINNT\system32\drivers\dmboot.sys
05:15:46:296 13552 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINNT\system32\drivers\dmio.sys
05:15:46:375 13552 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINNT\system32\drivers\dmload.sys
05:15:46:484 13552 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINNT\system32\drivers\DMusic.sys
05:15:46:593 13552 DNE (2eddbb3ef1dd5a28cb07c149d36e7286) C:\WINNT\system32\DRIVERS\dne2000.sys
05:15:46:625 13552 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINNT\system32\drivers\drmkaud.sys
05:15:46:937 13552 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
05:15:47:000 13552 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
05:15:47:062 13552 f5ipfw (06babcfbe83453d1673878afa5d5b8c2) C:\WINNT\system32\drivers\urfltw2k.sys
05:15:47:140 13552 Fastfat (38d332a6d56af32635675f132548343e) C:\WINNT\system32\drivers\Fastfat.sys
05:15:47:203 13552 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINNT\system32\drivers\Fdc.sys
05:15:47:234 13552 FilterService (bcef16e3aedd1b44bca45f748d975d73) C:\WINNT\system32\DRIVERS\lvuvcflt.sys
05:15:47:281 13552 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINNT\system32\drivers\Fips.sys
05:15:47:312 13552 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINNT\system32\drivers\Flpydisk.sys
05:15:47:375 13552 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINNT\system32\drivers\fltmgr.sys
05:15:47:406 13552 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINNT\system32\drivers\Fs_Rec.sys
05:15:47:484 13552 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINNT\system32\DRIVERS\ftdisk.sys
05:15:47:640 13552 GEARAspiWDM (ab8a6a87d9d7255c3884d5b9541a6e80) C:\WINNT\system32\Drivers\GEARAspiWDM.sys
05:15:47:687 13552 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINNT\system32\DRIVERS\msgpc.sys
05:15:47:734 13552 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINNT\system32\DRIVERS\HDAudBus.sys
05:15:47:750 13552 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINNT\system32\DRIVERS\hidusb.sys
05:15:47:906 13552 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINNT\system32\Drivers\HTTP.sys
05:15:48:156 13552 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINNT\system32\DRIVERS\i8042prt.sys
05:15:48:343 13552 ialm (0f0194c4b635c10c3f785e4fee52d641) C:\WINNT\system32\DRIVERS\ialmnt5.sys
05:15:48:484 13552 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINNT\system32\DRIVERS\imapi.sys
05:15:48:734 13552 IntcAzAudAddService (a5d5b8c427f4b67580fb2b511291a89d) C:\WINNT\system32\drivers\RtkHDAud.sys
05:15:48:859 13552 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINNT\system32\DRIVERS\intelppm.sys
05:15:48:968 13552 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINNT\system32\drivers\ip6fw.sys
05:15:49:015 13552 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINNT\system32\DRIVERS\ipfltdrv.sys
05:15:49:078 13552 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINNT\system32\DRIVERS\ipinip.sys
05:15:49:125 13552 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINNT\system32\DRIVERS\ipnat.sys
05:15:49:187 13552 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINNT\system32\DRIVERS\ipsec.sys
05:15:49:234 13552 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINNT\system32\DRIVERS\irenum.sys
05:15:49:562 13552 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINNT\system32\DRIVERS\isapnp.sys
05:15:49:843 13552 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINNT\system32\DRIVERS\kbdclass.sys
05:15:50:187 13552 klmd23 (0b06b0a25e08df0d536402bce3bde61e) C:\WINNT\system32\drivers\klmd.sys
05:15:50:375 13552 kmixer (692bcf44383d056aed41b045a323d378) C:\WINNT\system32\drivers\kmixer.sys
05:15:50:562 13552 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINNT\system32\drivers\KSecDD.sys
05:15:51:078 13552 LVcKap (8113133ec42dd6c566908008ce913edd) C:\WINNT\system32\DRIVERS\LVcKap.sys
05:15:51:328 13552 LVMVDrv (0dd5b8af4917a2821047450195c511b3) C:\WINNT\system32\DRIVERS\LVMVDrv.sys
05:15:51:703 13552 lvpopflt (e1158b0cb852db0573922c92e6e564de) C:\WINNT\system32\DRIVERS\lvpopflt.sys
05:15:51:890 13552 LVPr2Mon (406b1d186f75b4b4832d6237859e1b00) C:\WINNT\system32\DRIVERS\LVPr2Mon.sys
05:15:51:937 13552 LVUSBSta (be5e104be263921d6842c555db6a5c23) C:\WINNT\system32\drivers\LVUSBSta.sys
05:15:52:109 13552 LVUVC (eacd1eb2d82ed2adc753afeee1d4d660) C:\WINNT\system32\DRIVERS\lvuvc.sys
05:15:52:343 13552 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINNT\system32\drivers\mnmdd.sys
05:15:52:406 13552 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINNT\system32\drivers\Modem.sys
05:15:52:468 13552 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINNT\system32\DRIVERS\mouclass.sys
05:15:52:531 13552 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINNT\system32\DRIVERS\mouhid.sys
05:15:52:593 13552 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINNT\system32\drivers\MountMgr.sys
05:15:52:625 13552 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINNT\system32\DRIVERS\mrxdav.sys
05:15:52:718 13552 MRxSmb (421f7b922cec5a5f340e7574a98f7b7c) C:\WINNT\system32\DRIVERS\mrxsmb.sys
05:15:52:859 13552 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINNT\system32\drivers\Msfs.sys
05:15:52:890 13552 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINNT\system32\drivers\MSKSSRV.sys
05:15:52:937 13552 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINNT\system32\drivers\MSPCLOCK.sys
05:15:52:984 13552 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINNT\system32\drivers\MSPQM.sys
05:15:53:031 13552 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINNT\system32\DRIVERS\mssmbios.sys
05:15:53:062 13552 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINNT\system32\drivers\MSTEE.sys
05:15:53:218 13552 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINNT\system32\drivers\Mup.sys
05:15:53:250 13552 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINNT\system32\DRIVERS\NABTSFEC.sys
05:15:53:390 13552 NAVENG (83518e6cc82bdc3c3db0c12d1c9a2275) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100530.003\naveng.sys
05:15:53:453 13552 NAVEX15 (85cf37740fe06c7a2eaa7f6c81f0819c) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100530.003\navex15.sys
05:15:53:546 13552 NDIS (1df7f42665c94b825322fae71721130d) C:\WINNT\system32\drivers\NDIS.sys
05:15:53:656 13552 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINNT\system32\DRIVERS\NdisIP.sys
05:15:53:687 13552 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINNT\system32\DRIVERS\ndistapi.sys
05:15:53:718 13552 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINNT\system32\DRIVERS\ndisuio.sys
05:15:53:750 13552 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINNT\system32\DRIVERS\ndiswan.sys
05:15:53:781 13552 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINNT\system32\drivers\NDProxy.sys
05:15:53:843 13552 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINNT\system32\DRIVERS\netbios.sys
05:15:53:921 13552 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINNT\system32\DRIVERS\netbt.sys
05:15:54:062 13552 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINNT\system32\DRIVERS\nic1394.sys
05:15:54:109 13552 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINNT\system32\drivers\Npfs.sys
05:15:54:156 13552 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINNT\system32\drivers\Ntfs.sys
05:15:54:171 13552 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINNT\system32\drivers\Null.sys
05:15:54:218 13552 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINNT\system32\DRIVERS\nwlnkflt.sys
05:15:54:281 13552 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINNT\system32\DRIVERS\nwlnkfwd.sys
05:15:54:375 13552 O2MDRDR (9be9afaf92f5f46d109694bbe33c3bda) C:\WINNT\system32\DRIVERS\o2media.sys
05:15:54:484 13552 O2SDRDR (12a6d826a1a27818170552f2495a567a) C:\WINNT\system32\DRIVERS\o2sd.sys
05:15:54:531 13552 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINNT\system32\DRIVERS\ohci1394.sys
05:15:54:578 13552 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINNT\system32\drivers\Parport.sys
05:15:54:640 13552 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINNT\system32\drivers\PartMgr.sys
05:15:54:671 13552 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINNT\system32\drivers\ParVdm.sys
05:15:54:750 13552 PCI (a219903ccf74233761d92bef471a07b1) C:\WINNT\system32\DRIVERS\pci.sys
05:15:54:890 13552 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINNT\system32\DRIVERS\pciide.sys
05:15:54:968 13552 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINNT\system32\drivers\Pcmcia.sys
05:15:55:078 13552 pfc (6c1618a07b49e3873582b6449e744088) C:\WINNT\system32\drivers\pfc.sys
05:15:55:140 13552 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINNT\system32\DRIVERS\raspptp.sys
05:15:55:218 13552 prepdrvr (2a4514a9233d35a355f569ff8b8f6240) C:\WINNT\system32\CCM\prepdrv.sys
05:15:55:234 13552 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINNT\system32\DRIVERS\ptilink.sys
05:15:55:390 13552 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINNT\system32\Drivers\PxHelp20.sys
05:15:55:468 13552 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINNT\system32\DRIVERS\rasacd.sys
05:15:55:515 13552 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINNT\system32\DRIVERS\rasl2tp.sys
05:15:55:562 13552 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINNT\system32\DRIVERS\raspppoe.sys
05:15:55:609 13552 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINNT\system32\DRIVERS\raspti.sys
05:15:55:703 13552 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINNT\system32\DRIVERS\rdbss.sys
05:15:55:828 13552 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINNT\system32\DRIVERS\RDPCDD.sys
05:15:55:875 13552 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINNT\system32\DRIVERS\rdpdr.sys
05:15:55:906 13552 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINNT\system32\drivers\RDPWD.sys
05:15:56:000 13552 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINNT\system32\DRIVERS\redbook.sys
05:15:56:062 13552 RT73 (11c29282dc52e474c432b1b9e9c360cd) C:\WINNT\system32\DRIVERS\rt73.sys
05:15:56:125 13552 RTL8023xp (7889e3981e0a5d347e037abd467d53a5) C:\WINNT\system32\DRIVERS\Rtnicxp.sys
05:15:56:203 13552 SAVRT (12b6e269ef8ac8ea36122544c8a1b6d8) C:\Program Files\Symantec AntiVirus\savrt.sys
05:15:56:218 13552 SAVRTPEL (97e5b6f3f95465e1f59360b59d8ec64e) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
05:15:56:359 13552 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINNT\system32\DRIVERS\sdbus.sys
05:15:56:421 13552 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINNT\system32\DRIVERS\secdrv.sys
05:15:56:484 13552 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINNT\system32\drivers\Serial.sys
05:15:56:500 13552 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINNT\system32\drivers\Sfloppy.sys
05:15:56:546 13552 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINNT\system32\DRIVERS\SLIP.sys
05:15:56:625 13552 smserial (2c8cffd3b62726e2bca0bfa8b6b02c73) C:\WINNT\system32\DRIVERS\smserial.sys
05:15:56:843 13552 smsmdd (4b4ab78e866bbecf93f6eabc3270178a) C:\WINNT\system32\DRIVERS\smsmdm.sys
05:15:56:968 13552 SPBBCDrv (ef9760a364d836a0ce6149ebdf71524d) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
05:15:57:031 13552 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINNT\system32\drivers\splitter.sys
05:15:57:109 13552 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINNT\system32\DRIVERS\sr.sys
05:15:57:171 13552 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINNT\system32\DRIVERS\srv.sys
05:15:57:296 13552 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINNT\system32\DRIVERS\StreamIP.sys
05:15:57:328 13552 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINNT\system32\DRIVERS\swenum.sys
05:15:57:359 13552 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINNT\system32\drivers\swmidi.sys
05:15:57:421 13552 SymEvent (49b20b430a4f219173f823536944474a) C:\WINNT\system32\Drivers\SYMEVENT.SYS
05:15:57:484 13552 SYMREDRV (626f733be7f951116c5c0804b068666c) C:\WINNT\System32\Drivers\SYMREDRV.SYS
05:15:57:546 13552 SYMTDI (cb7cc4ddbe09e224d4cd876760ba982c) C:\WINNT\System32\Drivers\SYMTDI.SYS
05:15:57:640 13552 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINNT\system32\drivers\sysaudio.sys
05:15:57:828 13552 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINNT\system32\DRIVERS\tcpip.sys
05:15:57:843 13552 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINNT\system32\drivers\TDPIPE.sys
05:15:57:890 13552 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINNT\system32\drivers\TDTCP.sys
05:15:57:953 13552 TermDD (88155247177638048422893737429d9e) C:\WINNT\system32\DRIVERS\termdd.sys
05:15:58:015 13552 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINNT\system32\drivers\Udfs.sys
05:15:58:109 13552 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINNT\system32\DRIVERS\update.sys
05:15:58:203 13552 urvpndrv (e6264b89c494d2efbf0a51629089da0e) C:\WINNT\system32\DRIVERS\covpndrv.sys
05:15:58:250 13552 USBAAPL (c1ca131f4e3ed63d6bc89a35ffad4cda) C:\WINNT\system32\Drivers\usbaapl.sys
05:15:58:265 13552 usbaudio (e919708db44ed8543a7c017953148330) C:\WINNT\system32\drivers\usbaudio.sys
05:15:58:296 13552 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINNT\system32\DRIVERS\usbccgp.sys
05:15:58:328 13552 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINNT\system32\DRIVERS\usbehci.sys
05:15:58:359 13552 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINNT\system32\DRIVERS\usbhub.sys
05:15:58:421 13552 usbprint (a717c8721046828520c9edf31288fc00) C:\WINNT\system32\DRIVERS\usbprint.sys
05:15:58:515 13552 usbser (1c888b000c2f9492f4b15b5b6b84873e) C:\WINNT\system32\DRIVERS\usbser.sys
05:15:58:593 13552 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINNT\system32\DRIVERS\USBSTOR.SYS
05:15:58:656 13552 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINNT\system32\DRIVERS\usbuhci.sys
05:15:58:734 13552 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINNT\System32\drivers\vga.sys
05:15:58:843 13552 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINNT\system32\drivers\VolSnap.sys
05:15:58:937 13552 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINNT\system32\DRIVERS\wanarp.sys
05:15:58:968 13552 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINNT\system32\drivers\wdmaud.sys
05:15:59:015 13552 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINNT\system32\DRIVERS\wpdusb.sys
05:15:59:109 13552 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINNT\system32\DRIVERS\WSTCODEC.SYS
05:15:59:203 13552 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINNT\system32\DRIVERS\WudfPf.sys
05:15:59:296 13552 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINNT\system32\DRIVERS\wudfrd.sys
05:15:59:312 13552 Reboot required for cure complete..
05:15:59:687 13552 Cure on reboot scheduled successfully
05:15:59:687 13552
05:15:59:687 13552 Completed
05:15:59:687 13552
05:15:59:687 13552 Results:
05:15:59:687 13552 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
05:15:59:687 13552 File objects infected / cured / cured on reboot: 1 / 0 / 1
05:15:59:687 13552
05:15:59:687 13552 KLMD(ARK) unloaded successfully

Edited by Orange Blossom, 30 May 2010 - 10:16 PM.
Move to log forum. ~ OB
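The driver listing in the log above is TDSSKiller's per-driver output format (timestamp, PID, service name, MD5 in parentheses, path), followed by a Results block. What follows is an added example, not code from this thread, from Kaspersky or from the forum helpers: a small Python triage parser for that format. It pulls each driver record out, reads the "infected / cured / cured on reboot" counters, notes whether a reboot-time cure is pending, and flags two cheap cues a responder looks at first in a redirect-rootkit case: drivers that do not live under system32\drivers, and service names that do not match the file they load. Neither cue is a verdict; in the sample below the SCCM driver prepdrv.sys and Symantec's savrt.sys are legitimate and still trip it, so flagged entries are what you look up by MD5, not what you delete. The sample lines are copied from the posted log and embedded inline so the script runs offline.

```python
"""Triage helper for the driver-listing section of a TDSSKiller log.

Added example for this thread; not part of TDSSKiller or the forum's tooling.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input: four driver lines and the closing block, copied
# verbatim from the log posted above so the example runs without the file.
SAMPLE_LOG = r"""
05:15:52:718 13552 MRxSmb (421f7b922cec5a5f340e7574a98f7b7c) C:\WINNT\system32\DRIVERS\mrxsmb.sys
05:15:55:218 13552 prepdrvr (2a4514a9233d35a355f569ff8b8f6240) C:\WINNT\system32\CCM\prepdrv.sys
05:15:56:203 13552 SAVRT (12b6e269ef8ac8ea36122544c8a1b6d8) C:\Program Files\Symantec AntiVirus\savrt.sys
05:15:58:203 13552 urvpndrv (e6264b89c494d2efbf0a51629089da0e) C:\WINNT\system32\DRIVERS\covpndrv.sys
05:15:59:312 13552 Reboot required for cure complete..
05:15:59:687 13552 Results:
05:15:59:687 13552 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
05:15:59:687 13552 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# One driver line: "HH:MM:SS:mmm PID ServiceName (md5) C:\path\file.sys"
DRIVER_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<pid>\d+)\s+"
    r"(?P<name>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>.+?)\s*$"
)
# Results counters: "<Registry|File> objects infected / cured / cured on reboot: a / b / c"
RESULTS_RE = re.compile(
    r"(?P<kind>Registry|File) objects infected / cured / cured on reboot: "
    r"(?P<inf>\d+) / (?P<cured>\d+) / (?P<reboot>\d+)"
)


@dataclass
class DriverRecord:
    time: str
    pid: int
    name: str   # service (registry key) name
    md5: str
    path: str   # image path as the tool printed it (Windows separators)

    @property
    def file_stem(self) -> str:
        """Basename without extension, e.g. 'covpndrv' for ...\\covpndrv.sys."""
        base = self.path.rsplit("\\", 1)[-1]
        return base.rsplit(".", 1)[0]


def parse_log(text: str) -> Tuple[List[DriverRecord], Dict[str, Tuple[int, int, int]]]:
    """Return the driver records and the Results counters keyed by 'Registry'/'File'."""
    records: List[DriverRecord] = []
    results: Dict[str, Tuple[int, int, int]] = {}
    for line in text.strip().splitlines():
        m = DRIVER_RE.match(line)
        if m:
            records.append(DriverRecord(m["time"], int(m["pid"]), m["name"],
                                        m["md5"].lower(), m["path"]))
            continue
        r = RESULTS_RE.search(line)
        if r:
            results[r["kind"]] = (int(r["inf"]), int(r["cured"]), int(r["reboot"]))
    return records, results


def needs_reboot(text: str) -> bool:
    """True when the tool deferred a cure to the next boot (the file is still on disk now)."""
    return any("Reboot required" in line for line in text.splitlines())


def triage(records: List[DriverRecord]) -> Dict[str, List[str]]:
    """Map driver name -> list of cues worth a second look. Cues, not verdicts."""
    flagged: Dict[str, List[str]] = {}
    for rec in records:
        reasons = []
        # Most Windows drivers load from %SystemRoot%\system32\drivers; anything
        # elsewhere is either third-party software or something hiding in plain sight.
        if "\\system32\\drivers\\" not in rec.path.lower():
            reasons.append("outside-driver-store")
        # A service name that differs from its image name is common for vendors
        # but is also how a hijacked or injected service looks in this listing.
        if rec.name.lower() != rec.file_stem.lower():
            reasons.append("name-mismatch")
        if reasons:
            flagged[rec.name] = reasons
    return flagged


if __name__ == "__main__":
    recs, res = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} drivers, results={res}, reboot pending={needs_reboot(SAMPLE_LOG)}")
    for name, why in triage(recs).items():
        rec = next(r for r in recs if r.name == name)
        print(f"{name:12} {rec.md5} {rec.path}  <- {', '.join(why)}")
```

Run it against a complete log instead of the embedded sample and feed the MD5s of the flagged entries to whatever hash lookup you trust; a driver whose hash is unknown everywhere and whose path or name trips a cue is the one to ask the helper about, and a non-zero "cured on reboot" count means the verdict is not final until the machine has restarted and the tool has been re-run.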




#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:51 PM

Posted 02 June 2010 - 03:11 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days, I will bump the topic, and if you do not reply by the following day after that, I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:51 PM

Posted 07 June 2010 - 05:32 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE



